I. Kubernetes Dashboard installation steps
1. On the cluster master node, run the following command:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
2. Check the pod status; Running means the pods are up.
kubectl get pod -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-78f5d9f487-l8xfs 1/1 Running 0 2m19s
kubernetes-dashboard-577bd97bc-69fq5 1/1 Running 0 2m19s
3. Check the dashboard Service; by default it is ClusterIP, reachable only from inside the cluster.
kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.96.105.243 <none> 8000/TCP 3m43s
kubernetes-dashboard ClusterIP 10.100.158.78 <none> 443/TCP 3m43s
4. Change the dashboard Service to NodePort
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
Patching the Service changes its type to NodePort.
kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.96.105.243 <none> 8000/TCP 7m28s
kubernetes-dashboard NodePort 10.100.158.78 <none> 443:30377/TCP 7m28s
Checking again, the Service type is now NodePort and port 30377 was assigned at random; it is used for logging in later.
5. Check the name of the default serviceaccount
kubectl get serviceaccount -n kubernetes-dashboard
NAME SECRETS AGE
default 1 3m2s
kubernetes-dashboard 1 3m2s
This account is used to log in to the dashboard and manage cluster information.
6. Check the secrets of the kubernetes-dashboard serviceaccount
kubectl describe serviceaccounts kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Namespace: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: Image pull secrets: <none>
Mountable secrets: kubernetes-dashboard-token-kq9mm
Tokens: kubernetes-dashboard-token-kq9mm
Events: <none>
7. Get the token of the kubernetes-dashboard serviceaccount; it is used for login authentication over SSL
kubectl describe secrets kubernetes-dashboard-token-kq9mm -n kubernetes-dashboard
Name: kubernetes-dashboard-token-kq9mm
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 7162662b-327f-450f-9043-2f37776da296
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <JWT value omitted>
8. Browse to port 30377 on the master node; note that the protocol is https.
https://10.0.0.21:30377
Click "Proceed"; alternatively, type thisisnotsafe on the keyboard and press Enter.
Select Token, paste the token obtained in step 7 and click Sign in.
After logging in you will see many error messages, because the role bound to the account that the dashboard creates by default does not have sufficient permissions.
9. Check the cluster role bound to the kubernetes-dashboard serviceaccount; it is the kubernetes-dashboard role
kubectl describe clusterrolebinding kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Labels: <none>
Annotations: Role:
Kind: ClusterRole
Name: kubernetes-dashboard
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount kubernetes-dashboard kubernetes-dashboard
10. Check the permissions of the kubernetes-dashboard role: it only has get, list and watch on node and pod metrics (nodes.metrics.k8s.io and pods.metrics.k8s.io)
kubectl describe clusterrole kubernetes-dashboard
Name: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
11. Create a new serviceaccount, dashboard-admin
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
12. Use a clusterrolebinding to bind the cluster-admin role to this account; cluster-admin has administrator rights over the entire cluster
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin
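Binding cluster-admin to a serviceaccount makes its bearer token a full-cluster credential, so it is worth knowing which serviceaccounts hold that role. The following audit helper is an added example, not part of the original tutorial: it parses the custom-columns output of kubectl get clusterrolebindings (the sample rows below are constructed, not captured from a real cluster) and lists every ServiceAccount subject bound to cluster-admin, including bindings with several subjects.

```shell
#!/bin/sh
# Constructed sample of what this command prints after step 12 (not real cluster output):
#   kubectl get clusterrolebindings -o custom-columns=\
#   'NAME:.metadata.name,ROLE:.roleRef.name,KIND:.subjects[*].kind,SUBJECT:.subjects[*].name,NS:.subjects[*].namespace'
# custom-columns joins array values with commas, so a binding with several
# subjects shows "User,ServiceAccount" in KIND and matching lists in SUBJECT/NS.
SAMPLE_BINDINGS='NAME                      ROLE                  KIND                 SUBJECT                NS
cluster-admin             cluster-admin         Group                system:masters         <none>
dashboard-cluster-admin   cluster-admin         ServiceAccount       dashboard-admin        kubernetes-dashboard
kubernetes-dashboard      kubernetes-dashboard  ServiceAccount       kubernetes-dashboard   kubernetes-dashboard
legacy-admins             cluster-admin         User,ServiceAccount  alice,ci-runner        <none>,ci
system:kube-dns           system:kube-dns       ServiceAccount       kube-dns               kube-system'

# sa_with_cluster_admin: read binding rows on stdin, print one line
# "namespace/serviceaccount (binding-name)" for every ServiceAccount subject
# whose ClusterRoleBinding references the cluster-admin ClusterRole.
sa_with_cluster_admin() {
    awk 'NR > 1 && $2 == "cluster-admin" {
        n = split($3, kinds, ",")   # subject kinds, one per subject
        split($4, names, ",")       # subject names, same order
        split($5, nss, ",")         # subject namespaces (<none> for User/Group)
        for (i = 1; i <= n; i++)
            if (kinds[i] == "ServiceAccount")
                printf "%s/%s (%s)\n", nss[i], names[i], $1
    }'
}

# Against a live cluster, pipe the kubectl command above into sa_with_cluster_admin.
# With the constructed sample it prints:
#   kubernetes-dashboard/dashboard-admin (dashboard-cluster-admin)
#   ci/ci-runner (legacy-admins)
printf '%s\n' "$SAMPLE_BINDINGS" | sa_with_cluster_admin
```

Any serviceaccount listed here, dashboard-admin included, should be treated like a root credential: its token secret grants cluster-admin to whoever reads it.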
13. Get the token of the new admin serviceaccount
kubectl describe sa dashboard-admin -n kubernetes-dashboard
Name: dashboard-admin
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-admin-token-jq8t4
Tokens: dashboard-admin-token-jq8t4
Events: <none>
kubectl describe secrets dashboard-admin-token-jq8t4 -n kubernetes-dashboard
Name: dashboard-admin-token-jq8t4
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 507a6b02-7747-43f9-a7bb-38c52f2eb85f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <JWT value omitted>
14. Log in with the token of the new admin serviceaccount
Everything now displays normally.